Now is a good time to be considering, or reconsidering, cyber insurance.
The Australian cyber insurance market is in its infancy, compared with the United States. A significant driver of the market in the United States has been data breach notification laws, first enacted in California in 2002, with the other States following California’s lead.
Come February, Australia’s data breach notification laws will come into force so it is likely, if the US is any guide, that the cyber insurance market will begin to soar in Australia next year.
So now is the time to consider whether cyber insurance could be a useful and cost-effective risk transfer mechanism for your organisation.
Your existing cover probably won’t cut it
You may have existing cover – for example, directors and officers insurance – but it is likely that any such insurance, without specific endorsements, will not cover losses arising out of cyber security incidents. Indeed, some general policies contain specific exclusions for cyber-related losses.
‘Bolt-on’ or bespoke?
As noted above, it is possible to seek cyber endorsements or extensions to existing cover.
Depending on the level of risk your organisation faces – as to which, see further below – and on the size of your organisation (and your budget), cyber ‘bolt-on’ endorsements might be appropriate.
However, for larger organisations, or organisations facing more complex or uncertain risk environments, bespoke cover is preferable.
Start at the beginning
Ask any lawyer about cyber insurance and their first response is likely to be: look at the policy wording.
That is valid, but in fact there is much work to be done before you are ready even to call your insurance broker, let alone to evaluate specific policies and policy wording.
First of all, make sure you understand what cyber insurance is – and what it isn’t.
Cyber insurance is not – not yet anyway – comprehensive cover against cyber risk. In fact, some commentators go so far as to say that most cyber risks are not insurable.
So then what is cyber insurance? Cyber insurance offers coverage for, or mitigation of, certain specified, limited cyber risks.
By far the best way to reduce cyber risk is to prepare your organisation and invest in cyber protection measures. This is your first and best line of defence – a role that you should not be asking cyber insurance to fulfil.
Before approaching the cyber insurance market you therefore need to know what cyber risks you are faced with and which ones you want to cover.
Your organisation’s decision to procure cyber insurance must be made from a position of full understanding of:
- the cyber risks facing it
- which of those risks can be satisfactorily addressed, mitigated or managed
- what the remaining or residual risks are.
Then your organisation is prepared to ask the threshold question: in respect of any or all of the identified residual risks, is your organisation prepared to pay an insurer to transfer some of that risk from your organisation to the insurer?
Framed in this way, decisions about cyber insurance can be made as a trade-off between the potential exposures arising from uninsured residual risk and the cost of premiums to cover, or at least partially cover, certain aspects of those risks.
Your potential insurer will want to see that your organisation has a thorough understanding of, and is prepared for, the cyber risks it faces.
Your organisation’s cyber sophistication or maturity will feed into the cover insurers are prepared to offer and into the premiums you will pay.
So before you pick up the phone to your broker make sure your own house is in order. What has your business done to assess and address cyber and information security?
Ensure that your organisation has undertaken a robust risk assessment. You might choose to apply one or more of the well known risk assessment frameworks such as the NIST Cybersecurity Framework, as recommended by ASIC. You may choose to follow guidance from the Australian Signals Directorate, for example, its Essential Eight Mitigation Strategies.
There are many other resources available to guide cyber risk assessments.
The first step in that assessment must be an audit of your organisation’s information holdings and data assets. An information audit will enable you to understand:
- what information your organisation holds
- what types of information your organisation holds; that is, whether you hold certain types of data that are more sensitive and therefore warrant more attention from a risk perspective.
Undertaking an effective risk assessment establishes the foundations for your organisation’s decisions about cyber insurance.
Towards policy wording
Ask your broker for a commercial conversation about what risks and risk scenarios are and are not covered.
These should fall out of your risk assessment exercise, as described above. At this stage, the discussion should be about how the proposed policy addresses the particular residual risks your organisation has identified for risk transfer by means of cyber insurance.
Will your putative cyber insurance cover the risks you need to have covered?
If you are satisfied at this level, sanity check the proposed policy wording against those representations.
If possible, ask your broker to provide alternative products and policy wordings for your review.
If you are not satisfied, ask to negotiate policy terms.
Cyber insurance policy wordings and exclusions throw up some unique considerations.
Maintaining cyber/ICT security
Policies may contain an exclusion that will preclude a payout if your organisation has not consistently implemented good cyber security practice; for example, applying vendor-supplied patches and security updates.
If your cyber policy has this exclusion, then as a cyber governance issue (not to mention as good cyber hygiene) your organisation will need to ensure that it is on top of patching, updating and the other security basics, for example as laid out in the ASD’s ‘Essential Eight’, which is drawn from its ‘Strategies to Mitigate Cyber Security Incidents’. It will also need to be able to demonstrate that it has done so: if a claim is disputed on this ground, the question will be what was patched, and when.
The ‘insider threat’ and social engineering
Is your organisation looking to cover ‘insider threat’ cyber breaches? This is a significant type of cyber attack, yet such threats are commonly excluded from cyber insurance policies.
Other potential risk areas that might at first seem like obvious areas of coverage may not in fact be covered or insurable. For example, it is well known that ‘social engineering’ attacks such as phishing or whaling are a key area of risk. But cover for such risks should not be assumed. In fact such cover is not the norm.
The classic attack where an employee is duped into transferring funds to a third party by an email that appears to come from the CEO (often called ‘CEO fraud’ or business email compromise)? More than likely, not covered.
Compliance with software licences
Cyber cover may contain an exclusion that operates in circumstances where the insured may be operating outside of software licence specifications or contracted licence metrics. This can include such things as permitted user numbers or transaction volumes.
It is common for licensees to inadvertently exceed or breach such licence metrics. That is why software licences and SaaS agreements commonly provide for the licensor or service provider to audit compliance with such metrics. The usual contractual outcome in cases where licence metrics are exceeded is to adjust licence fees.
Check such clauses carefully: if your cover can be voided by an inadvertent breach of licence terms, that is a considerable area of risk.
Disclosure of known vulnerabilities
Check whether your policy requires you to notify insurers of vulnerabilities identified in IT security audits and, if so, how promptly.
Time based deductibles
We’re all familiar with insurance deductibles or excesses, but cyber policies may also contain ‘time based’ deductibles or waiting periods. Under these, the insured bears any loss arising during an initial period after the incident, and cover responds only to loss that arises after that period has elapsed. The impact of such deductibles on the insured’s ability to recover loss and damage should be considered carefully.
A number of cyber policies reviewed by this author require the insured to certify losses within a specified period, say 90 days, after the claim event occurs. This type of requirement represents a significant risk to policy holders, because loss and damage caused by a cyber event may continue for a significant period – months or even years – after the event.
In the immediate aftermath of a cyber incident it is difficult to quantify the future or anticipated losses flowing from the impacts that have been identified, and it is probably impossible to exhaustively identify all of the future implications of a breach (the Rumsfeldian ‘unknown unknowns’).
Exclusions based on the identity of the attacker
Pay very close attention to exclusions regarding cyber losses caused by certain classes of actors.
We’re familiar with exclusions for acts of war and the acts of foreign governments, so it is tempting to gloss over these provisions as common fare in insurance policies.
However, it is well known that identifying the source of a cyber attack is highly problematic – the problem of ‘attribution’.
This type of exclusion seems, to this author at least, to assume that attribution is a straightforward exercise. When it comes to cyber, it most certainly is not. The risk for the policy holder is that this type of exclusion therefore represents a significant area of uncertainty: whether a loss is covered may turn on a question of fact that neither the insured nor the insurer can answer with confidence.
Evolving threats
It is a truism of the cyber threat landscape that threats are continually evolving. Threats that we do not know about or anticipate today can be a reality tomorrow.
From the insured’s perspective, policies need to be worded flexibly enough that cover does not fail to respond to threats that were unknown at the time the policy was entered into.
In this author’s view, there are some critical areas of uncertainty where the insurance industry has yet to develop fully satisfactory policy offerings. Accordingly, a risk-first approach as outlined above is vital to ensure that your organisation is purchasing cyber insurance on a sound basis rather than on the basis of potentially ill-founded assumptions about what cyber insurance does or will cover.
Finally, given the unique issues posed by cyber insurance policies and policy wording, we would strongly recommend having any proposed policy legally reviewed to ensure your organisation fully understands the extent of any proposed cyber cover and in particular, what is excluded from that cover.
Sean Field | Special Counsel
T +61 3 9258 3397
See ASIC Report 429, Cyber resilience: Health check, March 2015.